We have a public facing web application that uses okta for authentication. We have a partner that would like us to use their IdP for SAML authentication. They have an application that consumers log into. From within that application, there will be a link to our application. We want them to pass a SAML token (since they are already authenticated with their IdP) with specific attributes/claims. Since we don't want the user to go through our self-registration/signon process, what is the URL they should be targeting and what do we need to do in our application to accept the SAML token, process JIT provisioning if needed, and put them into the application?

I can see how to add their IdP, but how do they call the application and yet allow for their IdP and JIT provisioning in our okta tenant?